CVE-2023-0614 ldb: Add function to take ownership of an ldb message

Many places in Samba depend upon various components of an ldb message
being talloc allocated, and hence able to be used as talloc contexts.
The elements and values of an unpacked ldb message point to unowned data
inside the memory-mapped database, and this function ensures that such
messages have talloc ownership of said elements and values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/lib/ldb/ABI/ldb-2.8.0.sigs b/lib/ldb/ABI/ldb-2.8.0.sigs
index 3e2c9262d967e16e8d7d3d783356407b788d7193..f1ba036c0a1ae67fcd2bf57db3215a66cbaeda1b 100644 (file)
--- a/lib/ldb/ABI/ldb-2.8.0.sigs
+++ b/lib/ldb/ABI/ldb-2.8.0.sigs
@@ -176,6 +176,7 @@ ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_mess
 ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
 ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *)
 ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *)
+ldb_msg_elements_take_ownership: int (struct ldb_message *)
 ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int)
 ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *)
 ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double)

diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c
index 865fc70fb033929bf51b4b67ab9af37d70a41259..801e7f4996a84173b50739db3f46569248f611fd 100644 (file)
--- a/lib/ldb/common/ldb_pack.c
+++ b/lib/ldb/common/ldb_pack.c
@@ -690,6 +690,7 @@ static int ldb_unpack_data_flags_v1(struct ldb_context *ldb,
                element->values = NULL;
                if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && element->num_values == 1) {
                        element->values = &ldb_val_single_array[nelem];
+                       element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
                } else if (element->num_values != 0) {
                        element->values = talloc_array(message->elements,
                                                       struct ldb_val,
@@ -932,6 +933,7 @@ static int ldb_unpack_data_flags_v2(struct ldb_context *ldb,
                if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) &&
                    element->num_values == 1) {
                        element->values = &ldb_val_single_array[nelem];
+                       element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
                } else if (element->num_values != 0) {
                        element->values = talloc_array(message->elements,
                                                       struct ldb_val,
@@ -1259,3 +1261,42 @@ failed:
        TALLOC_FREE(filtered_msg->elements);
        return -1;
 }
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg)
+{
+       unsigned int i = 0;
+
+       for (i = 0; i < msg->num_elements; i++) {
+               struct ldb_message_element *el = &msg->elements[i];
+               const char *name;
+               unsigned int j;
+
+               name = talloc_strdup(msg->elements,
+                                    el->name);
+               if (name == NULL) {
+                       return -1;
+               }
+               el->name = name;
+
+               if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+                       struct ldb_val *values = talloc_memdup(msg->elements, el->values,
+                                                              sizeof(struct ldb_val) * el->num_values);
+                       if (values == NULL) {
+                               return -1;
+                       }
+                       el->values = values;
+                       el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+               }
+
+               for (j = 0; j < el->num_values; j++) {
+                       struct ldb_val val = ldb_val_dup(el->values, &el->values[j]);
+                       if (val.data == NULL && el->values[j].length != 0) {
+                               return -1;
+                       }
+                       el->values[j] = val;
+               }
+       }
+
+       return LDB_SUCCESS;
+}

diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 8449294744d8aa142b3d7d0bc30d942019f9ccad..31ff8ddcf1218c4699cc8f14e39ab17f71cb22e4 100644 (file)
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -542,6 +542,10 @@ int ldb_filter_attrs(struct ldb_context *ldb,
                     const struct ldb_message *msg,
                     const char *const *attrs,
                     struct ldb_message *filtered_msg);
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg);
+
 /*
  * Unpack a ldb message from a linear buffer in ldb_val
  *